~ The MAILING DATE of this communication appears on the cover sheet with the correspondence address ~
Period for Reply 

A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) FROM 
THE MAILING DATE OF THIS COMMUNICATION. 

- Extensions of time may be available under the provisions of 37 CFR 1.136(a). In no event, however, may a reply be timely filed
after SIX (6) MONTHS from the mailing date of this communication. 

- If the period for reply specified above is less than thirty (30) days, a reply within the statutory minimum of thirty (30) days will be considered timely. 

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication. 

- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 133). 
Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any 
earned patent term adjustment. See 37 CFR 1.704(b). 

Status 

1) [X] Responsive to communication(s) filed on 05/25/2005 (Amendment).
2a) [X] This action is FINAL. 2b) [ ] This action is non-final.

3) [ ] Since this application is in condition for allowance except for formal matters, prosecution as to the merits is
closed in accordance with the practice under Ex parte Quayle, 1935 C.D. 11, 453 O.G. 213.

Disposition of Claims 

4) [X] Claim(s) 8-14 is/are pending in the application.

4a) Of the above claim(s) is/are withdrawn from consideration. 

5) [ ] Claim(s) is/are allowed.

6) [X] Claim(s) 8-14 is/are rejected.

7) [ ] Claim(s) is/are objected to.

8) [ ] Claim(s) are subject to restriction and/or election requirement.

Application Papers 

9) [ ] The specification is objected to by the Examiner.

10) [X] The drawing(s) filed on 24 May 2001 is/are: a) [X] accepted or b) [ ] objected to by the Examiner.

Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1.85(a). 
Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d). 

11) [ ] The oath or declaration is objected to by the Examiner. Note the attached Office Action or form PTO-152.

Priority under 35 U.S.C. § 119 

12) 13 Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 119(a)-(d) or (f). 
a)IEl All b)n Some * c)^ None of: 

1. [ ] Certified copies of the priority documents have been received.

2. [ ] Certified copies of the priority documents have been received in Application No. .

3. [ ] Copies of the certified copies of the priority documents have been received in this National Stage
application from the International Bureau (PCT Rule 17.2(a)). 
See the attached detailed Office action for a list of the certified copies not received. 
DETAILED ACTION

1. Applicant's amendment filed on May 25, 2005 has been entered. Claims
8-14 are pending. 

Claim Rejections - 35 USC §103 

2. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for 
all obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

3. Claims 8-14 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Ylonen et al. (US 6,438,612 B1), and further in view of Moles et al. (US 6,725,056
B1). 

a. Referring to claim 8: 
i. Ylonen teaches: 

(1) at least one IP forwarder arranged to receive IP 
packets each of which is associated with a Security Association (SA), the at least one IP 
forwarder is further arranged to determine the destinations of the packets, and to
forward the packets to their destinations [i.e., referring to Figure 3, for Ylonen's
invention to be applicable we will assume that some arbitrary protocol (where IP
forwarder could include in this protocol) exists for setting up a context for 
securely tunneling data packets from the transmitting device 301 through the 
connection 303 to the receiving device 302. As an example we will consider the 
IKE and IPSEC protocols mentioned previously. Setting up said context will then 
correspond to having a negotiation between the two devices, during which 
negotiation they will first authenticate themselves to each other and thereafter 
agree upon a shared secret, an authentication and/or encryption method to be 
used for the communication and on a security parameter index (SPI) value. The 
results of the negotiation will be locally stored at both devices, which is 
illustrated in FIG. 3 with the schematic memory blocks 304 and 305 (column 5, 
lines 56-67 through column 6, lines 1-2). In addition, using the language of the
IKE and IPSEC protocols, the result of the negotiation between the devices 301 
and 302 is a security association (or a well-defined group of security 
associations) (column 6, lines 58-61)]; 

(2) a plurality of security procedure modules coupled to 
the IP forwarder(s) and arranged to implement security procedures for received IP 
packets in parallel [i.e., referring to Figures 6 & 7, it is possible to have in each 
physical computer device 601 only a single module 602 performing IPSEC 
processing, and to have e.g. all virtual routers 603a, 603b and 603c in a physical 
router share the same IPSEC module. In an alternative architecture according to 
FIG. 7 each virtual router 703a, 703b and 703c can have its own IPSEC processor 
702a, 702b and 702c, but the different processors have a shared data structure 
704 that they use for allocating SPI values (either by actually having a single store 
for SAs or SPIs, or by checking the SPIs used by every other virtual router before 
allocating an SPI value). In a third alternative architecture the range of possible 
SPI values may be partitioned so that the virtual router identifier is encoded into 
the SPI value (either in a fixed number of bits, or using any suitable arithmetic 
coding method to combine a virtual network identifier and a SPI index). 
Variations and intermediate forms of these architectures can also be used. When 
there are multiple IPSEC processing modules, and the SPI can be used to identify 
the IPSEC processing module, no explicit virtual network identifiers are needed 
(column 8, lines 46-66)]; and 

(3) a security controller arranged to allocate negotiated 
SAs amongst the security procedure modules and to notify the security procedure 
modules and the IP forwarder(s) of the allocation, whereby the at least one IP forwarder 
can send IP packets to the security procedure module implementing the associated SA 
[i.e., Figure 4 shows more detailed view of a transmitting device 401, a receiving 
device 402 and two-way communication connection 403 between them. Both the 
transmitting device 401 and the receiving device 402 have an automatic key 
manager block 404 and an IPSEC block 405 that communicate with a security 
policy database 406. We may keep the previously made assumption that the
automatic key manager blocks 404 apply the IKE protocol for setting up the 
security association (column 7, lines 18-26)]. 

ii. Although Ylonen does not explicitly mention a security
controller in Figures 3 and 4, the negotiation process that Ylonen has mentioned in 
these two Figures should at least include a controller included in the communication in 
order to establish an entire IP Security Association. However, Moles teaches: 

(1) Figure 4 illustrates in greater detail provisioning 
security controller 265 in accordance with one embodiment of Moles' invention. 
Exemplary provisioning security controller 265 comprises data processor 405 and 
memory 410, which contains storage space for data burst-IP packet conversion 
application program 415, incoming traffic channel data field 420, outgoing traffic channel 
data field 425, incoming IP packet data field 430, and outgoing IP packet data field 435 
(column 10, lines 19-27). 

iii. It would have been obvious to a person having ordinary skill 
in the art at the time the invention was made to: 

(1) have included a security controller in Ylonen's 
invention concerning the secure transmission of data packets in a network. 

iv. The ordinary skilled person would have been motivated to: 
(1) have included a security controller in Ylonen's
invention since it is an object of the invention that it is applicable in the course of secure
tunneling of data between virtual routers irrespective of the actual method of 
implementing the packet authentication and/or encryption (column 3, lines 52-55 of 
Ylonen). 

b. Referring to claims 9-11: 

i. These claims have limitations that are similar to those of claim
12, thus they are rejected with the same rationale applied against claim 12 above. 

c. Referring to claim 12:

i. Ylonen further teaches: 
(1) wherein the security controller is coupled to an
Internet Key Exchange (IKE) module which is responsible for negotiating SAs with peer
IKE modules, and the security controller is arranged to receive from the IKE module
details of negotiated SAs [i.e., Figure 4 is a slightly more detailed view of a
transmitting device 401, a receiving device 402 and two-way communication 
connection 403 between them. Both the transmitting device 401 and the 
receiving device 402 have an automatic key manager block 404 and an IPSEC 
block 405 that communicate with a security policy database 406. We may keep 
the previously made assumption that the automatic key manager blocks 404 
apply the IKE protocol for setting up the security association. Furthermore, once
the negotiation between the automatic key managers 404 is complete and the new 
security association is set up, both the transmitting device and the receiving 
device enter the information describing the security association into their 
security policy database. The stored information is then used for the processing 
of individual packets (column 7, lines 18-51)]. 

d. Referring to claim 13:

i. Moles further teaches: 

(1) wherein at least one of the at least one IP forwarder,
security procedure modules, and/or security controller are implemented in software or in 
hardware, or in a combination of hardware and software [i.e., the term "controller" 
means any device, system or part thereof that controls at least one operation, 
such a device may be implemented in hardware, firmware or software, or some 
combination of at least two of the same (column 5, lines 15-18)]. 

e. Referring to claim 14: 

i. This claim consists of a method of processing IP packets at a
network networking device to implement claim 1 and is rejected by the same prior art of 
record. 

Response to Argument 

4. Applicant's arguments filed May 25, 2005 have been fully considered but
they are not persuasive.
Applicant argues that:

The combination of Ylonen and Moles references fails to teach utilizing a 
security controller that allocates negotiated SAs among a plurality of security procedure
modules and notifies the security procedure modules and the IPFWs involved of the
allocation. Nor does the combination disclose the at least one IPFW nor the plurality of
security procedure modules. 

Examiner totally disagrees with the applicant and still maintains that: 

The combination of Ylonen and Moles teach the claimed subject matter. 
The rejection of claims 8-14 was made in the previous office action and repeated again 
in this office action. According to Ylonen's invention, data packets are communicated 
between a transmitting virtual router in a transmitting computer device and a receiving 
virtual router in a receiving computer device. A security association is established for 
the secure transmission of data packets between the transmitting computer device and 
the receiving computer device. The transmitting virtual router and the receiving virtual 
router are identified within said security association. In the transmitting computer 
device, the security association for processing a data packet coming from the 
transmitting virtual router is selected on the basis of the identification of the 
transmitting virtual router within the security association (emphasis added). In 
the receiving computer device, the security association for processing a data 
packet coming from the transmitting computer device is selected on the basis of 
values contained within the data packet (emphasis added). In the receiving 
computer device, the data packet processed within the security association is directed 
to the receiving virtual router on the basis of the identification of the receiving virtual 
router within the security association. Ylonen's invention is very much similar to 
applicant's invention for processing IPsec data packets. Therefore, by using only 
Ylonen, the rejection could have been proper and sufficient (see Ylonen's abstract). 

In response to applicant's argument that there is no suggestion to combine 
the references, the examiner recognizes that obviousness can only be established by 
combining or modifying the teachings of the prior art to produce the claimed invention 
where there is some teaching, suggestion, or motivation to do so found either in the 
references themselves or in the knowledge generally available to one of ordinary skill in
the art. See In re Fine, 837 F.2d 1071, 5 USPQ2d 1596 (Fed. Cir. 1988) and In re
Jones, 958 F.2d 347, 21 USPQ2d 1941 (Fed. Cir. 1992). In this case, the combination
of teachings between Ylonen and Moles is sufficient.

Ylonen and Moles do not need to disclose anything over and above the 
invention as claimed in order to render it unpatentable or anticipate. A recitation of the 
intended use of the claimed invention must result in a structural difference between the 
claimed invention and the prior art in order to patentably distinguish the claimed 
invention from the prior art. If the prior art structure is capable of performing the 
intended use, then it meets the claimed limitations. 

For the above reasons, it is believed that the rejections should be
sustained.

Conclusion 

5. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). 
Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire 
THREE MONTHS from the mailing date of this action. In the event a first reply is filed 
within TWO MONTHS of the mailing date of this final action and the advisory action is 
not mailed until after the end of the THREE-MONTH shortened statutory period, then 
the shortened statutory period will expire on the date the advisory action is mailed, and 
any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date 
of the advisory action. In no event, however, will the statutory period for reply expire 
later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from 
the examiner should be directed to Thanhnga (Tanya) Truong whose telephone number 
is 571-272-3858. 

If attempts to reach the examiner by telephone are unsuccessful, the 
examiner's supervisor, Kim Vu, can be reached at 571-272-3859. The central fax
number for the organization where this application or proceeding is assigned is
571-273-8300.
Any inquiry of a general nature or relating to the status of this application
or proceeding should be directed to the receptionist whose telephone number is
571-272-2100.

Please notice that the central fax number has changed. To give 
customers time to adjust to the new Central FAX Number, faxes sent to the old number 
(703-872-9306) will be routed to the new number only until September 15, 2005.
(Note that since this new number is already operational, customers can use either 
number until September 15). 

TBT 

February 19, 2005





